---
layout: layouts/base.njk
---
<div class="o-layout__sidebar"></div>
<div class="o-layout__main o-layout-typography">
	<h1 id="security-policy">Security Policy</h1>
	<h2 id="responsible-disclosure-security-policy">Responsible disclosure security policy</h2>
	<p>
		A responsible disclosure policy helps protect users of the project from publicly disclosed 
		security vulnerabilities without a fix by employing a process where vulnerabilities are first 
		triaged in a private manner, and only publicly disclosed after a reasonable time period that 
		allows patching the vulnerability and provides an upgrade path for users.
	</p>
	<p>
		When contacting us directly via email, we will do our best efforts to respond in a reasonable
		time to resolve the issue. When contacting a security program their disclosure policy will 
		provide details on time-frame, processes and paid bounties.
	</p>
	<p>
		We kindly ask you to refrain from malicious acts that put our users, the project, or any of 
		the project’s team members at risk.
	</p>
	
	<h2 id="reporting-a-security-issue">Reporting a security issue</h2>
	<p>
		We consider the security of our systems a top priority. But no matter how much effort we put 
		into system security, there can still be vulnerabilities present.
	</p>
	<p>
		If you discover a security vulnerability, please use one of the following means of communications 
		to report it to us:
	</p>
	<ul>
		<li>
			<p>
				Report the security issue to the Financial Times through the 
				<a href="https://hackerone.com/financialtimes">HackerOne program</a>. They will help triage the 
				security issue and work with all involved parties to remediate and release a fix. If you are not 
				already invited to our HackerOne program, please email 
				<a href="mailto:origami.support+security@ft.com">origami.support+security@ft.com</a> and we will 
				add you to the program.
			</p>
		</li>
		<li>
			<p>
				Report the security issue to the project maintainers directly at 
				<a href="mailto:origami.support+security@ft.com">origami.support+security@ft.com</a>.
			</p>
		</li>
	</ul>
	<p>
		Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken 
		into account to acknowledge your contributions.
	</p>
</div>
